Apparent failure to accept SHA1 signature of root CA when using SECURE256
Description of problem:
Unable to establish a connection ... the verification of the server certificate chain fails reporting an insecure algorithm in the root certificate when SECURE256 is used but not when SECURE128 is used.
Version of gnutls used:
Latest stable: 3.6.16
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Built from source on CentOS-7 64bit
How reproducible:
gnutls-cli --priority='SECURE256:!VERS-TLS1.0:!VERS-TLS1.1' --debug=1 smartpayivr1005.tstpaypoint.services:443
Actual results:
Processed 133 CA certificate(s).
Resolving 'smartpayivr1005.tstpaypoint.services:443'...
Connecting to '81.93.230.131:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=*.tstpaypoint.services,O=Paypoint Network LTD,L=Welwyn Garden City,C=GB', issuer `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', serial 0x07468da604438a91d14e3e9e33d871b9, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-01-07 00:00:00 UTC', expires `2023-01-07 23:59:59 UTC', pin-sha256="Sp1tIM1nUNyDQP/3hrC1AlibArWQRyILg0rUOEx0Z1M="
    Public Key ID:
        sha1:d65bd7a88a3f5a554375b033bb3cbc98903935a2
        sha256:4a9d6d20cd6750dc8340fff786b0b502589b02b59047220b834ad4384c746753
    Public Key PIN:
        pin-sha256:Sp1tIM1nUNyDQP/3hrC1AlibArWQRyILg0rUOEx0Z1M=
- Certificate[1] info:
 - subject `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x06d8d904d5584346f68a2fa754227ec4, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-14 00:00:00 UTC', expires `2031-04-13 23:59:59 UTC', pin-sha256="RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc="
- Certificate[2] info:
 - subject `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x083be056904246b1a1756ac95991c74a, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2006-11-10 00:00:00 UTC', expires `2031-11-10 00:00:00 UTC', pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
- Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
Expected results:
Connection should be established ... I think the use of SECURE256 or SECURE128 should make no difference to the verification of the root certificate when that certificate provides a 2048-bit key.
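Triage script added here as an editor's example; it is not part of this report and not GnuTLS code. It parses the `- subject ...` lines that gnutls-cli prints (the sample embedded below is constructed from the output above) and separates the two things a verifier can object to in such a chain: a weak signature hash, which only matters on a link that path validation actually checks (a trust-anchor root is trusted by its public key and its own self-signature is never verified, RFC 5280 section 6.1), and a key size below the security strength being demanded. The RSA-size-to-strength table is from NIST SP 800-57 Part 1; whether GnuTLS's SECURE256 priority applies such a floor to certificate keys is not established by this report, so the 192-bit run is an assumption the script lets you test, not a claim about GnuTLS.

```python
"""Triage a gnutls-cli certificate-chain dump: which weak algorithm actually matters?"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the three " - subject ..." lines from the gnutls-cli output
# in this report, pasted as a string. Not a live capture.
SAMPLE_OUTPUT = """\
- Certificate[0] info:
 - subject `CN=*.tstpaypoint.services,O=Paypoint Network LTD,L=Welwyn Garden City,C=GB', issuer `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', serial 0x07468da604438a91d14e3e9e33d871b9, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-01-07 00:00:00 UTC', expires `2023-01-07 23:59:59 UTC', pin-sha256="Sp1tIM1nUNyDQP/3hrC1AlibArWQRyILg0rUOEx0Z1M="
- Certificate[1] info:
 - subject `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x06d8d904d5584346f68a2fa754227ec4, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-14 00:00:00 UTC', expires `2031-04-13 23:59:59 UTC', pin-sha256="RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc="
- Certificate[2] info:
 - subject `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x083be056904246b1a1756ac95991c74a, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2006-11-10 00:00:00 UTC', expires `2031-11-10 00:00:00 UTC', pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
"""

# Minimum RSA modulus for a given security strength (NIST SP 800-57 Part 1, Table 2).
RSA_BITS_FOR_STRENGTH = {80: 1024, 112: 2048, 128: 3072, 192: 7680, 256: 15360}
WEAK_SIG_HASHES = ("MD5", "SHA1")

# Matches the fields gnutls-cli prints per certificate; everything after "signed using"
# (validity, pin) is ignored. "(broken!)" is gnutls-cli's annotation, not part of the name.
CERT_RE = re.compile(
    r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)', "
    r"serial (?P<serial>0x[0-9a-fA-F]+), (?P<keytype>[\w/]+) key (?P<bits>\d+) bits, "
    r"signed using (?P<sigalg>[\w-]+)"
)


def parse_chain(text: str) -> List[Dict]:
    """Return one dict per certificate, in the order the server sent them (leaf first)."""
    chain = []
    for idx, m in enumerate(CERT_RE.finditer(text)):
        chain.append({
            "index": idx,
            "subject": m.group("subject"),
            "issuer": m.group("issuer"),
            "serial": m.group("serial"),
            "key_type": m.group("keytype"),
            "key_bits": int(m.group("bits")),
            "sig_alg": m.group("sigalg"),
        })
    return chain


def triage(chain: List[Dict], required_strength_bits: int) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Classify each certificate's signature and key against a target security strength.

    Returns (verdict, findings): verdict is "pass" or "fail"; each finding is
    (certificate index, severity, message). "fail" marks what a verifier enforcing
    that strength would reject; "info" marks a weak algorithm that path validation
    never evaluates.
    """
    min_rsa_bits = RSA_BITS_FOR_STRENGTH[required_strength_bits]
    findings = []
    for cert in chain:
        idx, sig_alg = cert["index"], cert["sig_alg"]
        self_signed = cert["subject"] == cert["issuer"]
        weak_sig = any(h in sig_alg.upper() for h in WEAK_SIG_HASHES)
        if weak_sig and self_signed:
            # RFC 5280 s.6.1: a trust anchor is trusted by its public key; its
            # self-signature is not checked, so SHA-1 here is harmless (assuming this
            # self-signed certificate is the anchor present in the trust store).
            findings.append((idx, "info",
                             f"{sig_alg} self-signature on a self-signed (root) certificate; "
                             "not verified during path validation, harmless"))
        elif weak_sig:
            # A weak hash on a leaf or intermediate signature is a real chain weakness:
            # a collision against that hash forges this link.
            findings.append((idx, "fail",
                             f"{sig_alg} signature on a non-root certificate; link is forgeable"))
        if cert["key_type"] == "RSA" and cert["key_bits"] < min_rsa_bits:
            findings.append((idx, "fail",
                             f"RSA-{cert['key_bits']} key is below the {min_rsa_bits}-bit "
                             f"minimum for {required_strength_bits}-bit strength"))
    verdict = "fail" if any(sev == "fail" for _, sev, _ in findings) else "pass"
    return verdict, findings


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_OUTPUT)
    # 112-bit: the strength a 2048-bit RSA chain actually provides.
    # 192-bit: what the name SECURE256 suggests, if the verifier applied it to keys (assumption).
    for strength in (112, 192):
        verdict, findings = triage(chain, strength)
        print(f"required strength {strength}-bit: {verdict}")
        for idx, sev, msg in findings:
            print(f"  cert[{idx}] {sev}: {msg}")
```

Against the chain in this report the 112-bit run passes with a single informational note about the root's SHA-1 self-signature, while the 192-bit run fails on every certificate's key size and still only notes the self-signature. If a verifier's rejection tracks the second pattern, the key sizes are the thing to look at; if it rejects the chain while the self-signature is the only weak item, the verifier is evaluating a signature that path validation does not need.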